Rule: AV alerts - webshells

rules/windows/malware/av_webshell.yml

@@ -0,0 +1,28 @@
+title: Antivirus Web Shell Detection
+description: Detects a highly relevant Antivirus alert that reports a web shell
+date: 2018/09/09
+author: Florian Roth
+references:
+    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
+tags:
+    - attack.web_shell
+    - attack.t1100
+logsource:
+    product: antivirus
+detection:
+    selection:
+        Signature: 
+            - PHP/Backdoor
+            - JSP/Backdoor
+            - ASP/Backdoor
+            - Backdoor.PHP
+            - Backdoor.JSP
+            - Backdoor.ASP
+            - "*Webshell*"
+    condition: selection
+fields:
+    - FileName
+    - User
+falsepositives:
+    - Unlikely
+level: critical